Wednesday, December 24, 2008

Use SSL in IIS to protect the communication channel between your WCF enabled web application and the web client. SSL protects sensitive data on the network from being stolen or modified.

The following are the steps to configure certificates for Secure Sockets Layer (SSL) communication in IIS.

1. Click Start and then click Run.
2. In the Run dialog box, type inetmgr and then click OK.
3. In the Internet Information Services (IIS) Manager dialog box, expand the (local computer) node, and then expand the Web Sites node.
4. Right-click Default Web Site and then click Properties.
5. In the Default Web Site Properties dialog box, click the Directory Security tab, and then in the Secure Communications section, click Server Certificate.
6. On the Welcome screen of the Web Server Certificate Wizard, click Next to continue.
7. On the Server Certificate screen, select the Assign an existing certificate radio button option, and then click Next.
8. On the Available Certificates screen, select the certificate you created and installed in the previous step, and then click Next.
9. Verify the information on the certificate summary screen, and then click Next.
10. Click Finish to complete the certificate installation.
11. In the Default Web Site Properties dialog box, click OK.

The value "C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\Machinekeys\4d657b73466481beba7b0e1b5781db81_c225a308-d2ad-4e58-91a8-6e87f354b030" should be the path returned by the FindPrivateKey tool.

Wednesday, December 17, 2008

The DBMS_ASSERT package was introduced in Oracle 10g Release 2 and backported to Release 1 in the Oracle October 2005 Critical Patch Update. There are currently no references to this package in the 10g Release 2 documentation or on Metalink. The package contains a number of functions that can be used to sanitize user input and help to guard against SQL injection in applications that don't use bind variables.

- ENQUOTE_LITERAL Function: Enquotes a string literal
- ENQUOTE_NAME Function: Encloses a name in double quotes
- NOOP Functions: Returns the value without any checking
- QUALIFIED_SQL_NAME Function: Verifies that the input string is a qualified SQL name
- SCHEMA_NAME Function: Verifies that the input string is an existing schema name
- SIMPLE_SQL_NAME Function: Verifies that the input string is a simple SQL name
- SQL_OBJECT_NAME Function: Verifies that the input parameter string is a qualified SQL identifier of an existing SQL object

It is this DBMS_Assert package that guarantees immunity to SQL injection.

There are three kinds of SQL literal: text, datetime, and numeric. Each deserves separate attention.

Ensuring safety of Datetime literal

- Use the two-parameter overload To_Char(d, Fmt), for an input d of datatype date, to compose the SQL datetime literal t.

- Concatenate one single quote character before the start of this value and one single quote character after its end.

- Assert that the result is safe with DBMS_Assert.Enquote_Literal().

- Compose the date predicate in the SQL statement using the two-parameter overload To_Date(t, Fmt), using the identical value for Fmt as was used to compose t.

Notice that the mandate in the third bullet is the crucial one. It is this one that guarantees immunity to injection; the first two and the fourth mandates prevent annoying run-time errors.

The procedure p_Safe(), whose first few lines are shown in the code below, implements this approach. Of course, date is not the only datetime datatype. The same reasoning applies to, for example, a timestamp literal.

The rules for composing a safe SQL text literal from a PL/SQL text value:

- Replace each singleton occurrence, within the PL/SQL text value, of the single quote character with two consecutive single quote characters.

- Concatenate one single quote character before the start of the value and one single quote character after the end of the value.

- Assert that the result is safe with DBMS_Assert.Enquote_Literal().

Notice that the mandate in the third bullet is the crucial one. It is this one that guarantees immunity to injection; the first mandate prevents annoying run-time errors.

Ensuring the safety of a SQL numeric literal or simple SQL name

The rules for composing a safe SQL numeric literal from a PL/SQL numeric value:

- Use explicit conversion with the To_Char() overload with three formal parameters. This overload requires that a value be supplied for Fmt. Explicitly provide the value that supplies the default when the overload with one formal parameter is used. This is 'TM'. 'TM' is the so-called text minimum number format model. It returns the smallest number of characters possible in fixed notation unless the output exceeds 64 characters.

- Explicitly provide the value that supplies the default for the NLS_Numeric_Characters parameter when one of the overloads with one or two formal parameters is used. This is '.,'.
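As an added example (not code from the original post), the following PL/SQL procedure applies the three sets of rules above when it has to build a dynamic statement without bind variables: the text and datetime literals are doubled-quoted, wrapped in single quotes and checked with DBMS_Assert.Enquote_Literal, the numeric literal uses the three-parameter To_Char with an explicit 'TM' format and '.,' NLS setting, and the To_Date in the predicate reuses the same Fmt. The procedure name safe_query_demo, the table t_orders and its columns are hypothetical.

```sql
-- Added example: a dynamic query that composes its literals by the rules above.
-- safe_query_demo, t_orders and its columns are hypothetical names.
CREATE OR REPLACE PROCEDURE safe_query_demo(
  p_name  IN VARCHAR2,   -- untrusted text value (e.g. from a web form)
  p_since IN DATE,       -- date value
  p_min   IN NUMBER)     -- numeric value
IS
  c_fmt  CONSTANT VARCHAR2(30) := 'YYYY-MM-DD HH24:MI:SS';
  v_text VARCHAR2(4000);
  v_date VARCHAR2(100);
  v_num  VARCHAR2(100);
  v_sql  VARCHAR2(4000);
  v_cnt  PLS_INTEGER;
BEGIN
  -- Text literal: double every single quote, wrap in single quotes,
  -- then assert. Enquote_Literal raises an exception if any quote
  -- inside the literal is unpaired, so an unsafe value never reaches v_sql.
  v_text := DBMS_Assert.Enquote_Literal(
              '''' || REPLACE(p_name, '''', '''''') || '''');

  -- Datetime literal: To_Char(d, Fmt) with an explicit Fmt, wrap, assert.
  v_date := DBMS_Assert.Enquote_Literal(
              '''' || To_Char(p_since, c_fmt) || '''');

  -- Numeric literal: three-parameter To_Char with the explicit defaults
  -- 'TM' (text minimum) and NLS_Numeric_Characters '.,', so the result
  -- does not depend on session NLS settings.
  v_num := To_Char(p_min, 'TM', 'NLS_Numeric_Characters = ''.,''');

  -- The predicate re-parses the datetime literal with the identical Fmt.
  v_sql := 'SELECT COUNT(*) FROM t_orders'
        || ' WHERE customer_name = ' || v_text
        || ' AND order_date >= To_Date(' || v_date || ', ''' || c_fmt || ''')'
        || ' AND amount >= ' || v_num;

  EXECUTE IMMEDIATE v_sql INTO v_cnt;
  DBMS_Output.Put_Line(v_cnt || ' row(s) match');
END safe_query_demo;
/

-- Usage: a name containing a single quote is handled as a literal, not as SQL.
-- EXEC safe_query_demo('O''Brien', DATE '2008-12-01', 100);
```

If p_name is passed without the REPLACE step, an input carrying a lone single quote makes Enquote_Literal raise rather than return the literal, which is the behaviour the third bullet relies on. Where the application can use bind variables instead, that remains the simpler option; this pattern is for the dynamic SQL the post describes.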

Tuesday, December 16, 2008

NATs and firewalls can impact the strategy by which your WCF clients and services communicate. Use the following steps to determine WCF configuration for a NAT or firewall:

1. Determine the addressability of the service and client machines. If the service or the client are behind a NAT and are not directly addressable, then use a technology such as Microsoft Teredo to enable communication.
2. Determine if there are protocol or port constraints on the service or client machines. For example, port 80 may be open through a firewall but other ports may be blocked.

Once you understand the addressability, protocol and port constraints on your service and its clients you can determine service and endpoint configuration. Use the table in the MSDN article “Working with NATS and Firewalls” at http://msdn.microsoft.com/en-us/library/ms731948.aspx to determine the best configuration for your scenario.

The Pan India Solutions Community has been created to provide a networking platform to software professionals, business analysts, technology analysts and students planning for a career in the field of IT Solutions.

Monday, December 15, 2008

Perform the following steps to avoid sending cleartext passwords over the network:

If possible, remove the need for a password at all by specifying ClientCredentialType="Windows", ClientCredentialType="Certificate", or a custom token that does not require a password.

If the user must enter a password, protect the password by specifying either to secure the channel or to secure the messages. Do not specify in the configuration as this will provide no communication security.

About Me

He is involved in Application Security Consulting and establishing App Security across SDLC. He also conducts security workshops for the developer community. Besides interest in App Security, he likes Performance Testing and tuning of web applications.